[Snort-devel] Re: Snort exploits

Martin Roesch roesch at ...402...
Thu Apr 18 21:55:02 EDT 2002


On 4/17/02 9:49 PM, "Vern Paxson" <vern at ...1275...> wrote:

>> The TCP evasions are fairly easily detectable as overlaps should not
>> normally occur.
> 
> See the Bro paper - Bro has detected this possible evasion for many years
> now, and in fact we do see overlaps operationally, and unfortunately they're
> just about always innocuous (busted TCPs, not attacks), so alerting on them
> has a high false positive ratio.

Snort is capable of detecting a variety of TCP foolishness as well; it's
just turned off by default because people complain about the "noise".  To
enable Snort's TCP stream protocol violation alerts, configure the stream4
preprocessor the following way:

preprocessor stream4: detect_scans, detect_state_problems

>> Similarly the IP fragmentation detection just needs slightly more rigorous
>> overlap detection and alerting, as these overlaps will not be occurring
>> in normal situations.
> 
> Also discussed in the Bro paper - we do see these in practice, both innocuous
> and as evasion attempts.

Snort has overlap detection and mitigation built into its frag2
preprocessor, I fixed it when Dug told me it was broken back in January.

>> For now as a workaround you can just alert on small
>> fragments (resurrect minfrag... heh) which should be indicative of games
>> being played.
> 
> (same - you see tiny fragments for innocuous reasons, sigh)

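The distinction the exchange above turns on (an overlap that is merely a retransmission versus one whose bytes disagree, so the IDS cannot know which version the end host accepted) can be shown in a few lines. The following is an added illustration, not Snort or Bro code: a toy TCP segment overlap checker that classifies each overlap as consistent or inconsistent, reassembles the same segments under a first-wins and a last-wins policy, and flags the stream as ambiguous when the two policies disagree. Sequence numbers are plain integers (no wraparound), gaps are zero-filled, and the sample segments are constructed for the example.

```python
"""Toy TCP segment overlap checker (added example, not Snort or Bro code).

Classifies each overlap between segments of one flow as "consistent" (the
shared bytes match, typical of a plain retransmission from a busted TCP) or
"inconsistent" (the shared bytes differ, so different reassembly policies
yield different streams). Sequence numbers are plain integers, no wraparound.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int     # sequence number of the first payload byte
    data: bytes  # payload

    @property
    def end(self) -> int:
        return self.seq + len(self.data)


def find_overlaps(segments: List[Segment]) -> List[Dict]:
    """Return one record per overlapping pair, in arrival order."""
    findings: List[Dict] = []
    seen: List[Segment] = []
    for new in segments:
        for old in seen:
            lo = max(old.seq, new.seq)
            hi = min(old.end, new.end)
            if lo >= hi:
                continue  # no shared byte range
            old_bytes = old.data[lo - old.seq:hi - old.seq]
            new_bytes = new.data[lo - new.seq:hi - new.seq]
            findings.append({
                "range": (lo, hi),
                "kind": "consistent" if old_bytes == new_bytes else "inconsistent",
            })
        seen.append(new)
    return findings


def reassemble(segments: List[Segment], prefer_new: bool) -> bytes:
    """Reassemble the flow; prefer_new=False keeps the first byte seen at each
    offset, prefer_new=True keeps the last. Gaps are zero-filled."""
    buf: Dict[int, int] = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if prefer_new or off not in buf:
                buf[off] = b
    if not buf:
        return b""
    start, end = min(buf), max(buf)
    return bytes(buf.get(off, 0) for off in range(start, end + 1))


def stream_is_ambiguous(segments: List[Segment]) -> bool:
    """True when first-wins and last-wins reassembly disagree, i.e. the IDS
    cannot know which bytes the end host actually consumed."""
    return reassemble(segments, False) != reassemble(segments, True)


# Constructed sample: a request, a harmless retransmission of its first five
# bytes, then a segment that rewrites bytes 105..109 with different data.
SAMPLE: List[Segment] = [
    Segment(100, b"GET /index.html"),
    Segment(100, b"GET /"),
    Segment(105, b"ABCDE"),
]

if __name__ == "__main__":
    for f in find_overlaps(SAMPLE):
        print(f"overlap {f['range']}: {f['kind']}")
    print("first-wins:", reassemble(SAMPLE, False))
    print("last-wins: ", reassemble(SAMPLE, True))
    print("ambiguous: ", stream_is_ambiguous(SAMPLE))
```

Only the inconsistent overlap makes the stream ambiguous; the retransmission alone reassembles identically under both policies, which is why alerting on every overlap produces the false positives described above while alerting on inconsistent ones is a much tighter signal.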